Besides the many, many stretches of the imagination required for his story (e.g., it infects the firmware on all major brands of USB drives, he never extracted a binary blob or sent the infected device to the manufacturer, the audio communication silliness, the fact that he apparently thinks infection could spread through the power cable, and so on...) the biggest issue to my mind is that if this is so communicable, why in all the time he's had it under observation has it never spread anywhere else? Also, why has he not shown it to a colleague. This is the sort of thing that goes over huge at conferences.

Name one reason why he didn't send the BIOS or a copy thereof to be examined by the OEM....***after three years of not being able to fix this***.

My next question would be: why did it take him so long to figure out that the USB might be the vector? But before you answer that question ask yourself this also: why hasn't he contacted the major USB drive manufacturers since this seems to be FAR more about a vulnerability at the USB controller level(far, far, far below control of the OS) that has been leveraged to then exploit writing a new firmware?

If this is a USB hardware exploit then the rest of this is superficial but after 3 years, you'd figure that someone would have found another copy of this thing by now yet he's the only one. If he wasn't aware that it spread through USB for 3 years, the odds of him bringing an infected jump drive to a friend or colleague's computer where it would then spread even more are so high that I can't believe no one has asked these questions.

IF it's a USB exploit, I'm fucking impressed but since he's played the "how many people can believe that I'm this stupid" card so many times in his "research" on this(I'm saying nothing of his other experience, mind you), I'd say it's likely a hoax of some sort.

If he wasn't aware that it spread through USB for 3 years, the odds of him bringing an infected jump drive to a friend or colleague's computer where it would then spread even more are so high that I can't believe no one has asked these questions.

No doubt his friend or colleagues all have more smarts then to plug in some random jump drive.I seriously don't even trust these things myself any more. I hate it when someone sends me something on a flash drive.

Never the less, his friends and colleagues didn't get infected from his jump drive, which leads me to believe they are considerably more clever then he is, and are probably wary about letting him near their computers.

It took him 3 years to figure it out while machine after machine was getting infected in his lab.

Firewire yes. Firewire can muck around with system RAM directly.USB cannot it all has to go via the CPU.

The entire premise of this is ridiculous. No sound card can go beyond about 24khz which is barely ultrasonic and not suitable for data.Plus hacking many different chips, some which do not even have firmware, seems too unlikely.

none of the audio analog circuitry on the frontend will let it pass. Go ahead, look at the output of your best soundcard and a ramp generator and watch it roll off rapidly on the scope when you go above 35khz.

No there is NO plausibility, Please, Please stop adding credibility to this bullshit in this made up bit of fiction.

None of the electronics in your computer is designed for ultrasonic, and in fact it's freaking filtered out to get rid of problems. I dont care if the chips can do 99ghz, the analog components for filtering on the input and output significantly attenuate it, then you have the fact that the speakers can not generate it nor the microphones having the ability to receive it.

I think many of the commentators both here and on Ars Technica are making a basic mistake. No one claims that the machine is infected through its microphones. Duh! How would it know to listen and interpret noise as instructions. The claim is that once infected, the machines communicate using their speakers and microphones.

Is it possible? Sure. Do I consider it likely? No. It's one Hell of an effort for very little gain... in general. But we all have hobbies, so someone may have written a virus that infects through USB drives, overwrites BIOS, and resists the clean up of physically disconnected machines by communicating via sound.

Do I believe this particular story? Hmm... no. Mostly because, despite the reputation of the author, the article makes it sounds that basic mistakes were made during the cleanup process, and because not enough information has been shared with the community.

But if I was told the story is true, I could come with a great conspiracy theory to explain it. The author tries to keep all the fame for himself, the author is being threatened by the high tech agency that developed the strain but let it escape, the virus has alien origin...

It has not been my experience that computer speakers are capable of making sounds much outside the range of human hearing, nor computer micophones capable of picking such sounds up. Maybe he buys comptuers with extremely high end sound equipment, but I'm a bit skeptical that nobody noticed the audio.

Maybe he sniffed a little too much of the magic smoke the virus let out.

A small laptop speaker can make very high frequency sounds. I don't know about microphones, maybe the same applies. A high-frequency sound has also the benefit of travelling long distances in air. However it might be that the speaker and microphone circuitry have some frequency filtering going on to make the signal nicer, which would defeat the idea. Other than that, communication between computers outside the hearing range is technically possible.

I just tested my PC's speakers / microphone... The power output is rock steady up to 15kHz, then falls to 75% by 20kHz, 50% by 30kHz, and about 10% by 40kHz. Then it stays that way to fiftish kHz, which is as far as my loop went.

I could already not hear it by 14kHz... damn I'm old. Last time I did something like this, I was OK up to 17kHz, and back at the Institute I was fine at 19kHz.

I think that no one hear 30 kHz, and you still get 50% power on my PC... which is nothing special. You can definitely get decent communication outside of hearing range.

Feed a "subwoofer" a 19kHz sine wave. What comes out? Is it all reduced to heat? Go ahead and try, and you'll see: Sound comes out. Measurably. At 19kHz. (probably with a whole lot of nasty harmonics starting at 38kHz, and a great deal of heat compared to other frequencies, but that's not the point.)

Meanwhile, please define "practical."

If "practical" means sending low-speed data between two computers in close proximity at a frequency that is difficult or impossible for an

After the initial infection and subsequent cleaning (let's assume it survived somehow - hell, it might have been a compromised USB keyboard), the issue was forgotten for a while until the mentioned symptoms started appearing - since they seemed to be mostly inconveniences that often plague BIOS/UEFI (If I had a buck for each hour I've spent figuring out how to boot with drive X on system Y...) or could be atributed to more mundane causes, the investigation of these issues was considered not prioritary, as there were seemingly more important tasks to do.

More recently, a connection was established that suggested it might be more than just random bad luck - this then took a while to investigate, especially because ruining hardware (desoldering the BIOS chip to extract its firmware) is typically the last resort when investigating something.

Again, this is just speculation as to why this whole story took three years so far.

And regarding the power cable: Powerline networking is commercially available and well-understood, as is transmitting data along with low-voltage DC (PoE). If you come to the conclusion that information is being exchanged after removing all network interfaces, it makes perfect sense to try (it's not exactly hard...) to unplug the laptop, to eliminate a potential hardware backdoor. Honestly, what I considered paranoia not too long ago is starting to look more likely every day...

And regarding the power cable: Powerline networking is commercially available and well-understood, as is transmitting data along with low-voltage DC (PoE).

Yes, but you need special hardware to do it. I don't see any way to do this with commecial pc/laptop power supples without first hacking the hardware.

I find the idea of using a computers' microphone and speaker as a kind of high frequency modem highly intriguing. I did read enough of TFA to see that once he physically removed the speaker and microphone from his computer the mystery network packets stopped. That's pretty strong evidence this is one of the attack vectors if it is indeed true. I don't know the

oh and if you're such deep in paranoid country it doesn't help much to do those steps since this is already assumpting that they're infecting your firmwares on all devices;)

Ya, no kidding! For example Dell PowerEdge servers are pretty consistent throughout each generation. They're good servers, but there are many components onboard that have upgradable firmware. I can name more than a few. BIOS, BMC, iDRAC, Broadcom NIC, and PERC (RAID card). I'm not sure if these devices require the firmware to be signed

if this is so communicable, why in all the time he's had it under observation has it never spread anywhere else? Also, why has he not shown it to a colleague. This is the sort of thing that goes over huge at conferences.

Because, he speculates, the the initial infection of a machine must be done via USB stick, and being the professional security researcher that he is, he nonchalantly plugs his USB sticks willy-nilly back and forth between his known infected machines and his brand new machines.

A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it.

This guy apparently has no concept of a clean room for virus research.

I don't discount the ability to use sound for communication between infected machines, but clearly you have to be infected FIRST for that to work.(Not to mention hav

As the article explains: To us in the security community, none of the individual pieces raise an eyebrow. We know USB is an infection vector. We know BIOS/UEFI can be compromised. We know that when it hits the firmware, extraction isn't as easy as a dd anymore. We know communication via power cable and audio is possible - the last shouldn't really surprise anyone as it's been just earlier this year that audio was discussed as an alternative to NFC, because it doesn't require new hardware (every smartphone already has speakers and microphones).

And after Stuxnet and Flame, we know that some of the really advanced malware that we've been talking about at conferences is not only possible, but real.

Still, finding all of this in one package is fascinating, and if it really is 3 years old, I don't want to know what the current version looks like.

I remember BIOS viruses back when I did support for Windows 95, and damn they were nasty. Plug a loaner floppy into an infected machine and by the end of the day you could infect an entire computer lab. There was one that (IIRC) would infect both Phoenix and AMI BIOS machines, but did nothing to Award boards. I don't see why people think that a cross-platform BIOS infector is so out of the question.

I have a hard time believing that you could pack enough logic into bios that could anticipate and counter your actions in OSX, BSD, and Windows.

Otherwise, this code must maintain a link to the outside world, relying on equipment that may or may not be anywhere near by, and then a human would have to monitor this machine and send commands back. That would take an insane level of commitment.

If this was real, wouldn't every security researcher, hardware manufacturer, and government in the world be at this dude's lab to get in on the action?

Back when I had an altair 8800 we used to play a teletype game called star trek. We kept a radio tuned off channel on in the room. When you fired a laser the code executed a fast loop that emitted EMI in a ramping frequency. the radio would make a phaser noise.

IN Europe it was discovered that the most common brand of voting machine would emit EMI differently depending on whether the character in the displayed name had an umlat or not (special character set). SO you could tell who people voted for when one candidate had an umlat.

Article: "Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped."

OK, so now you have a single action (eliminating acoustic duplex mechanism) and suddenly the data transmission ceases. That is pretty convincing that an 'entity' has wound up programming a system to manage/infect/reinfect computers near each other even when all I/O methods are turne

wow. simply... wow.16 BYTES(it could be much higher) could allow for a lot of data to exchange. Depending on the time.And it's exchanging information with another infected system.This is coming form an expert who runs pwn2own(Dragos Ruiu), so I would give it a little more thinking if I where you.

I don't give blatant trolling any thought. Airgapped room? You're not bypassing walls at those frequencies, not with laptop speakers or internal computer speakers. Even if you had speakers powerful enough to get past that, you'd need a hellaciously sensitive microphone on the other side, and equally powerful speakers to transmit back if desired. Can we say feedback loop? Not only must the microphones deal with trying to pick up a faint noise through an airgap, they're also trying to ignore the noise of thei

Using FM above what most people can hear you can blast a squarewave at full power that could easily fill the room, if the door is open you could probably receive it in adjoining rooms. Come to think of it you could probably transmit in parallel on a number of different frequencies as long as they arent multiples of each other. It wouldn't be gigabit but it would be plenty fast for sending command and control information.

Actually, it's a very easy option. Usually the microphone cable (and conveniently, the camera cable if there's a bezel camera) are directly underneath the keyboard. In most non-Apple laptops, that's easy access with just a few underside screws and under-battery screws. And funnily enough, you usually get speaker access while going for those cables anyways, so it's an all-in-one trip maybe involving 8 or 9 screws.

Read it and now it makes sense. Target computer is not connected to network. Target computer and bridge computer are infected. target and bridge send each other packets using sound. bridge sends packets over network to attacker.

Please, I'm as dumb as a blade of grass and I see why this explanation is hooey. Target is not connected to the network. What on the target got the audio network up and running? Magick? USB stick? That's sneakernet. Nothing? then the audio on the target isn't talking or listening.

Not hooey. The idea is that people transfer files with USB between the air gapped machine and network connected machines. You can get your malware on both by spreading the virus to USB drives. Using this technique the air gapped machine is connected to the network.

1) it is impossible to contaminate a computer with sound. You would have to force the targeted non infected computer zto 1) open the micro channel 2) start saving the data in a format which 3) would be executable and 4) execute it and I probably forgot a few other improbable points. Most likely a computer was contaminated by other means, like USB sticks. Furthermore , ultra sound ? Frequencies around 20 KhZ ? I am doubting that in a normal room with air, and with other sound, those register properly. But I

Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

This is as far as you need to read. Geez, Clearly this virus has infected the system and re-written power management subsystems to utilize the CMOS battery to provide enough juice, probably reprogramming an EEPROM on the I2C system to execute code and infect other systems.

I was thinking the same thing...then I realized the author of the article probably just did a crappy job of making it clear that he was talking about laptops that had their power cords unplugged to rule out powerline networking and the like. I'm willing to give them the benefit of the doubt on that one, since claiming that an unpowered computer can receive signals from an infected machine is patently absurd.

A staggering number of people commenting on this story seem to have failed to read and comprehend this article. There must be a few dozen comments stating that it's impossible to infect a machine with malware via audio. I can't find any mention of this happening in this article. The section that speaks of the communication via sound is referring to two previously infected machines. They are already infected, so now they communicate.

I don't know if this is complete BS or not, but at least read and comprehend the article before pouncing on it and making yourself look like an idiot for not reading it.

It seems like the vast majority of people started flaming without reading the author's comment [arstechnica.com], so here it is:

Dear Ars readers,

As a journalist for more than 17 years, I have never written a spoof story for April Fool's Day or any other holiday. I certainly had no intention of doing so with this article. It's completely coincidental that this story ran today, on Halloween.

The ninth paragraph of my article reads:

Quote:
"At times as I've reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he's beginning to draw."

Here and elsewhere in the post, I have tried to make clear that many of the details of this article sounded far-fetched to me. They still do. I have also tried to be transparent that no one has independently corroborated Ruiu's findings. That said, these same details have been publicly available for more than two weeks, and a large number of Ruiu's peers find them believable.

I decided to resolve this conflict between my own skepticism and the reaction of Ruiu's fellow security researchers by reporting accurately what all of them said and making clear that so far no one has peer reviewed Ruiu's research process or findings.

I have no doubt that researchers will pore over every laptop and USB drive Ruiu makes available and independently arrive at their own conclusions. I fully intend to report whatever they find. If they find no evidence to support Ruiu's account, Ars readers will be among the first to know.

1) The assertion is that this malware infects as many bioses on the machine as it can. But a bios isn't big, so instead of containing code to directly infect the main OS, it contains code to setup a mesh network with it's peers to download the appropriate OS root kit.
2) The air gap was on a laptop (with a battery) in a room with potentially infected machines.
3) There never was a claim that a completely clean machine was infected over any method, just that a machine that had been the recipient of a lot of low level cleaning, and disabling managed to demonstrate a full re infection after spending enough timeout the proximity of other infected machines.

None of things asserted here are particularly novel. Infections at all levels bios, aren't novel. Mesh networking, isn't novel. Acoustic networking isn't novel. The arrangement of them to maximize the effectiveness of them is the novel part. But also in retrospect is also pretty obvious. Rather then try to code for all the bios and OS combinations, and all the OS and device combinations, you code for all the bios and device combinations, and then code for all the OS choices in a one off.

Just about every sound card ( and everything else ) in the last ten years had been made in a factory in China. What is to stop the PLA from slipping just this kind of malware into a sound card chip? Maybe they can even activate and update using sounds from a television.

I think the article is complete bollocks, but simple basic DSP isn't that difficult if you use a simple codec. Hell, even a morse code type system with basic CRC checking wouldn't take more than 16k. It doesn't have to deal with echo (high frequency is rather directional), it doesn't have to deal with doppler (few moving objects), and it's obviously a secondary communications channel.

The thing that gives it away for me is that something could embed so deeply without being detected, as USB and networks are